Cyber 321: 13th August 2021 - Cybersecurity Without Insanity

Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.

This week: Length matters (snigger snigger). If you pay a ransomware demand, expect more ransomware. And why there will be no end to your clients asking you about your cybersecurity defences.

This week’s action: Do the maths on your backups.

>>>>> THREE ARTICLES <<<<<

1: Paying the ransom is just the beginning.

“80% of organisations that paid a ransom demand experienced a second attack, of which 46% believed the subsequent ransomware [attack] to be caused by the same hackers.”

You can’t trust criminals. Shocking.

2: Backups are critical. But confirming they can actually be used (and that you can survive while you complete the restores) is also important.

“Experts say the biggest reason ransomware targets and/or their insurance providers still pay when they already have reliable backups is that nobody at the victim organization bothered to test in advance how long this data restoration process might take. [..]they never actually tried to restore their network from backups before, so they have no idea how long it’s going to take. [..] A lot of IT teams never actually make even a back-of-the-napkin calculation of how long it would take them to restore from a data rate perspective.

Another gap is when the victims “discover that the digital key needed to decrypt their backups was stored on the same local file-sharing network that got encrypted by the ransomware”.

3: Trust gives a free pass.

“Third-party software solutions are key to keeping business running smoothly, but come with the risk of undetected or zero-day threats.”

“The most frightening part of this third-party problem? Trust. Companies remain vigilant for ransomware attacks on their networks. Meanwhile, trusted third-party providers often get a free pass into corporate systems because they’ve never been the source of problems in the past. The result is an infosec complacency that can lead to serious security risk.”

This is why enterprises will increasingly seek assurance (and evidence) from their suppliers to confirm they are not at risk, and why enterprises will be reluctant to let any new supplier in the door without sufficient evidence.

>>>>> TWO STATISTICS <<<<<

1: 8

Length matters (for once).

The UK’s National Cyber Security Centre recommends that we no longer force users to set ‘complex’ passwords with a minimum length of 8 characters. Instead, it recommends passwords should be longer and less complex – For example, by using a combination of three random words.

The ‘de facto’ standard for many years has been a minimum of 8 characters, with at least one upper-case letter, a number and a non-alphanumeric symbol. But the reality is, the automated scripts used by hackers have no difficulty with case sensitivity, numerics or special characters – But humans do. So, we have inadvertently encouraged users to reuse passwords. We have scored a security own goal. It’s time to break the groupthink and rethink our password policies.

2: 700

The number of ‘money mule’ transactions that moved through Irish bank accounts in the first six months of this year, according to the Banking and Payments Federation of Ireland (BPFI). As I’ve mentioned before, make sure your friends and family are aware that easy money will cause difficult future.

>>>>> ONE ACTION <<<<<

1: Do the maths

Your backups are a critical defence against ransomware. But follow Kreb’s advice and (1) calculate how long it would take to restore all of your systems simultaneously, (2) ensure any password or decryption key and software needed to restore the backups is stored somewhere safe and (3) make sure the backups are stored offline or in a system that is difficult for cyber attackers to reach from your network. Read more at https://krebsonsecurity.com/2021/07/dont-wanna-pay-ransom-gangs-test-your-backups/